Use Elasticsearch for time series data

Use Elasticsearch for time series data

Elasticsearch offers features to help you store, manage, and search time series data, such as logs and metrics. Once in Elasticsearch, you can analyze and visualize your data using Kibana and other Elastic Stack features.

Set up data tiers

Elasticsearch’s ILM feature uses data tiers to automatically move older data to nodes with less expensive hardware as it ages. This helps improve performance and reduce storage costs.

The hot and content tiers are required. The warm, cold, and frozen tiers are optional.

Use high-performance nodes in the hot and warm tiers for faster indexing and faster searches on your most recent data. Use slower, less expensive nodes in the cold and frozen tiers to reduce costs.

The content tier is not typically used for time series data. However, it’s required to create system indices and other indices that aren’t part of a data stream.

The steps for setting up data tiers vary based on your deployment type:

Elasticsearch Service Self-managed

  1. Log in to the Elasticsearch Service Console.
  2. Add or select your deployment from the Elasticsearch Service home page or the deployments page.
  3. From your deployment menu, select Edit deployment.
  4. To enable a data tier, click Add capacity.

Enable autoscaling

Autoscaling automatically adjusts your deployment’s capacity to meet your storage needs. To enable autoscaling, select Autoscale this deployment on the Edit deployment page. Autoscaling is only available for Elasticsearch Service.

To assign a node to a data tier, add the respective node role to the node’s elasticsearch.yml file. Changing an existing node’s roles requires a rolling restart.

  1. # Content tier
  2. node.roles: [ data_content ]
  3. # Hot tier
  4. node.roles: [ data_hot ]
  5. # Warm tier
  6. node.roles: [ data_warm ]
  7. # Cold tier
  8. node.roles: [ data_cold ]
  9. # Frozen tier
  10. node.roles: [ data_frozen ]

We recommend you use dedicated nodes in the frozen tier. If needed, you can assign other nodes to more than one tier.

  1. node.roles: [ data_content, data_hot, data_warm ]

Assign your nodes any other roles needed for your cluster. For example, a small cluster may have nodes with multiple roles.

  1. node.roles: [ master, ingest, ml, data_hot, transform ]

Register a snapshot repository

The cold and frozen tiers can use searchable snapshots to reduce local storage costs.

To use searchable snapshots, you must register a supported snapshot repository. The steps for registering this repository vary based on your deployment type and storage provider:

Elasticsearch Service Self-managed

When you create a cluster, Elasticsearch Service automatically registers a default found-snapshots repository. This repository supports searchable snapshots.

The found-snapshots repository is specific to your cluster. To use another cluster’s default repository, refer to the Cloud Snapshot and restore documentation.

You can also use any of the following custom repository types with searchable snapshots:

Use any of the following repository types with searchable snapshots:

You can also use alternative implementations of these repository types, for instance MinIO, as long as they are fully compatible. Use the Repository analysis API to analyze your repository’s suitability for use with searchable snapshots.

Create or edit an index lifecycle policy

A data stream stores your data across multiple backing indices. ILM uses an index lifecycle policy to automatically move these indices through your data tiers.

If you use Fleet or Elastic Agent, edit one of Elasticsearch’s built-in lifecycle policies. If you use a custom application, create your own policy. In either case, ensure your policy:

  • Includes a phase for each data tier you’ve configured.
  • Calculates the threshold, or min_age, for phase transition from rollover.
  • Uses searchable snapshots in the cold and frozen phases, if wanted.
  • Includes a delete phase, if needed.

Fleet or Elastic Agent Custom application

Fleet and Elastic Agent use the following built-in lifecycle policies:

  • logs
  • metrics
  • synthetics

You can customize these policies based on your performance, resilience, and retention requirements.

To edit a policy in Kibana, open the main menu and go to Stack Management > Index Lifecycle Policies. Click the policy you’d like to edit.

You can also use the update lifecycle policy API.

  1. resp = client.ilm.put_lifecycle(
  2. name="logs",
  3. policy={
  4. "phases": {
  5. "hot": {
  6. "actions": {
  7. "rollover": {
  8. "max_primary_shard_size": "50gb"
  9. }
  10. }
  11. },
  12. "warm": {
  13. "min_age": "30d",
  14. "actions": {
  15. "shrink": {
  16. "number_of_shards": 1
  17. },
  18. "forcemerge": {
  19. "max_num_segments": 1
  20. }
  21. }
  22. },
  23. "cold": {
  24. "min_age": "60d",
  25. "actions": {
  26. "searchable_snapshot": {
  27. "snapshot_repository": "found-snapshots"
  28. }
  29. }
  30. },
  31. "frozen": {
  32. "min_age": "90d",
  33. "actions": {
  34. "searchable_snapshot": {
  35. "snapshot_repository": "found-snapshots"
  36. }
  37. }
  38. },
  39. "delete": {
  40. "min_age": "735d",
  41. "actions": {
  42. "delete": {}
  43. }
  44. }
  45. }
  46. },
  47. )
  48. print(resp)
  1. const response = await client.ilm.putLifecycle({
  2. name: "logs",
  3. policy: {
  4. phases: {
  5. hot: {
  6. actions: {
  7. rollover: {
  8. max_primary_shard_size: "50gb",
  9. },
  10. },
  11. },
  12. warm: {
  13. min_age: "30d",
  14. actions: {
  15. shrink: {
  16. number_of_shards: 1,
  17. },
  18. forcemerge: {
  19. max_num_segments: 1,
  20. },
  21. },
  22. },
  23. cold: {
  24. min_age: "60d",
  25. actions: {
  26. searchable_snapshot: {
  27. snapshot_repository: "found-snapshots",
  28. },
  29. },
  30. },
  31. frozen: {
  32. min_age: "90d",
  33. actions: {
  34. searchable_snapshot: {
  35. snapshot_repository: "found-snapshots",
  36. },
  37. },
  38. },
  39. delete: {
  40. min_age: "735d",
  41. actions: {
  42. delete: {},
  43. },
  44. },
  45. },
  46. },
  47. });
  48. console.log(response);
  1. PUT _ilm/policy/logs
  2. {
  3. "policy": {
  4. "phases": {
  5. "hot": {
  6. "actions": {
  7. "rollover": {
  8. "max_primary_shard_size": "50gb"
  9. }
  10. }
  11. },
  12. "warm": {
  13. "min_age": "30d",
  14. "actions": {
  15. "shrink": {
  16. "number_of_shards": 1
  17. },
  18. "forcemerge": {
  19. "max_num_segments": 1
  20. }
  21. }
  22. },
  23. "cold": {
  24. "min_age": "60d",
  25. "actions": {
  26. "searchable_snapshot": {
  27. "snapshot_repository": "found-snapshots"
  28. }
  29. }
  30. },
  31. "frozen": {
  32. "min_age": "90d",
  33. "actions": {
  34. "searchable_snapshot": {
  35. "snapshot_repository": "found-snapshots"
  36. }
  37. }
  38. },
  39. "delete": {
  40. "min_age": "735d",
  41. "actions": {
  42. "delete": {}
  43. }
  44. }
  45. }
  46. }
  47. }

To create a policy in Kibana, open the main menu and go to Stack Management > Index Lifecycle Policies. Click Create policy.

You can also use the update lifecycle policy API.

  1. resp = client.ilm.put_lifecycle(
  2. name="my-lifecycle-policy",
  3. policy={
  4. "phases": {
  5. "hot": {
  6. "actions": {
  7. "rollover": {
  8. "max_primary_shard_size": "50gb"
  9. }
  10. }
  11. },
  12. "warm": {
  13. "min_age": "30d",
  14. "actions": {
  15. "shrink": {
  16. "number_of_shards": 1
  17. },
  18. "forcemerge": {
  19. "max_num_segments": 1
  20. }
  21. }
  22. },
  23. "cold": {
  24. "min_age": "60d",
  25. "actions": {
  26. "searchable_snapshot": {
  27. "snapshot_repository": "found-snapshots"
  28. }
  29. }
  30. },
  31. "frozen": {
  32. "min_age": "90d",
  33. "actions": {
  34. "searchable_snapshot": {
  35. "snapshot_repository": "found-snapshots"
  36. }
  37. }
  38. },
  39. "delete": {
  40. "min_age": "735d",
  41. "actions": {
  42. "delete": {}
  43. }
  44. }
  45. }
  46. },
  47. )
  48. print(resp)
  1. const response = await client.ilm.putLifecycle({
  2. name: "my-lifecycle-policy",
  3. policy: {
  4. phases: {
  5. hot: {
  6. actions: {
  7. rollover: {
  8. max_primary_shard_size: "50gb",
  9. },
  10. },
  11. },
  12. warm: {
  13. min_age: "30d",
  14. actions: {
  15. shrink: {
  16. number_of_shards: 1,
  17. },
  18. forcemerge: {
  19. max_num_segments: 1,
  20. },
  21. },
  22. },
  23. cold: {
  24. min_age: "60d",
  25. actions: {
  26. searchable_snapshot: {
  27. snapshot_repository: "found-snapshots",
  28. },
  29. },
  30. },
  31. frozen: {
  32. min_age: "90d",
  33. actions: {
  34. searchable_snapshot: {
  35. snapshot_repository: "found-snapshots",
  36. },
  37. },
  38. },
  39. delete: {
  40. min_age: "735d",
  41. actions: {
  42. delete: {},
  43. },
  44. },
  45. },
  46. },
  47. });
  48. console.log(response);
  1. PUT _ilm/policy/my-lifecycle-policy
  2. {
  3. "policy": {
  4. "phases": {
  5. "hot": {
  6. "actions": {
  7. "rollover": {
  8. "max_primary_shard_size": "50gb"
  9. }
  10. }
  11. },
  12. "warm": {
  13. "min_age": "30d",
  14. "actions": {
  15. "shrink": {
  16. "number_of_shards": 1
  17. },
  18. "forcemerge": {
  19. "max_num_segments": 1
  20. }
  21. }
  22. },
  23. "cold": {
  24. "min_age": "60d",
  25. "actions": {
  26. "searchable_snapshot": {
  27. "snapshot_repository": "found-snapshots"
  28. }
  29. }
  30. },
  31. "frozen": {
  32. "min_age": "90d",
  33. "actions": {
  34. "searchable_snapshot": {
  35. "snapshot_repository": "found-snapshots"
  36. }
  37. }
  38. },
  39. "delete": {
  40. "min_age": "735d",
  41. "actions": {
  42. "delete": {}
  43. }
  44. }
  45. }
  46. }
  47. }

Create component templates

If you use Fleet or Elastic Agent, skip to Search and visualize your data. Fleet and Elastic Agent use built-in templates to create data streams for you.

If you use a custom application, you need to set up your own data stream. A data stream requires a matching index template. In most cases, you compose this index template using one or more component templates. You typically use separate component templates for mappings and index settings. This lets you reuse the component templates in multiple index templates.

When creating your component templates, include:

  • A date or date_nanos mapping for the @timestamp field. If you don’t specify a mapping, Elasticsearch maps @timestamp as a date field with default options.
  • Your lifecycle policy in the index.lifecycle.name index setting.

Use the Elastic Common Schema (ECS) when mapping your fields. ECS fields integrate with several Elastic Stack features by default.

If you’re unsure how to map your fields, use runtime fields to extract fields from unstructured content at search time. For example, you can index a log message to a wildcard field and later extract IP addresses and other data from this field during a search.

To create a component template in Kibana, open the main menu and go to Stack Management > Index Management. In the Index Templates view, click Create component template.

You can also use the create component template API.

  1. resp = client.cluster.put_component_template(
  2. name="my-mappings",
  3. template={
  4. "mappings": {
  5. "properties": {
  6. "@timestamp": {
  7. "type": "date",
  8. "format": "date_optional_time||epoch_millis"
  9. },
  10. "message": {
  11. "type": "wildcard"
  12. }
  13. }
  14. }
  15. },
  16. meta={
  17. "description": "Mappings for @timestamp and message fields",
  18. "my-custom-meta-field": "More arbitrary metadata"
  19. },
  20. )
  21. print(resp)
  22. resp1 = client.cluster.put_component_template(
  23. name="my-settings",
  24. template={
  25. "settings": {
  26. "index.lifecycle.name": "my-lifecycle-policy"
  27. }
  28. },
  29. meta={
  30. "description": "Settings for ILM",
  31. "my-custom-meta-field": "More arbitrary metadata"
  32. },
  33. )
  34. print(resp1)
  1. response = client.cluster.put_component_template(
  2. name: 'my-mappings',
  3. body: {
  4. template: {
  5. mappings: {
  6. properties: {
  7. "@timestamp": {
  8. type: 'date',
  9. format: 'date_optional_time||epoch_millis'
  10. },
  11. message: {
  12. type: 'wildcard'
  13. }
  14. }
  15. }
  16. },
  17. _meta: {
  18. description: 'Mappings for @timestamp and message fields',
  19. "my-custom-meta-field": 'More arbitrary metadata'
  20. }
  21. }
  22. )
  23. puts response
  24. response = client.cluster.put_component_template(
  25. name: 'my-settings',
  26. body: {
  27. template: {
  28. settings: {
  29. 'index.lifecycle.name' => 'my-lifecycle-policy'
  30. }
  31. },
  32. _meta: {
  33. description: 'Settings for ILM',
  34. "my-custom-meta-field": 'More arbitrary metadata'
  35. }
  36. }
  37. )
  38. puts response
  1. const response = await client.cluster.putComponentTemplate({
  2. name: "my-mappings",
  3. template: {
  4. mappings: {
  5. properties: {
  6. "@timestamp": {
  7. type: "date",
  8. format: "date_optional_time||epoch_millis",
  9. },
  10. message: {
  11. type: "wildcard",
  12. },
  13. },
  14. },
  15. },
  16. _meta: {
  17. description: "Mappings for @timestamp and message fields",
  18. "my-custom-meta-field": "More arbitrary metadata",
  19. },
  20. });
  21. console.log(response);
  22. const response1 = await client.cluster.putComponentTemplate({
  23. name: "my-settings",
  24. template: {
  25. settings: {
  26. "index.lifecycle.name": "my-lifecycle-policy",
  27. },
  28. },
  29. _meta: {
  30. description: "Settings for ILM",
  31. "my-custom-meta-field": "More arbitrary metadata",
  32. },
  33. });
  34. console.log(response1);
  1. # Creates a component template for mappings
  2. PUT _component_template/my-mappings
  3. {
  4. "template": {
  5. "mappings": {
  6. "properties": {
  7. "@timestamp": {
  8. "type": "date",
  9. "format": "date_optional_time||epoch_millis"
  10. },
  11. "message": {
  12. "type": "wildcard"
  13. }
  14. }
  15. }
  16. },
  17. "_meta": {
  18. "description": "Mappings for @timestamp and message fields",
  19. "my-custom-meta-field": "More arbitrary metadata"
  20. }
  21. }
  22. # Creates a component template for index settings
  23. PUT _component_template/my-settings
  24. {
  25. "template": {
  26. "settings": {
  27. "index.lifecycle.name": "my-lifecycle-policy"
  28. }
  29. },
  30. "_meta": {
  31. "description": "Settings for ILM",
  32. "my-custom-meta-field": "More arbitrary metadata"
  33. }
  34. }

Create an index template

Use your component templates to create an index template. Specify:

  • One or more index patterns that match the data stream’s name. We recommend using our data stream naming scheme.
  • That the template is data stream enabled.
  • Any component templates that contain your mappings and index settings.
  • A priority higher than 200 to avoid collisions with built-in templates. See Avoid index pattern collisions.

To create an index template in Kibana, open the main menu and go to Stack Management > Index Management. In the Index Templates view, click Create template.

You can also use the create index template API. Include the data_stream object to enable data streams.

  1. resp = client.indices.put_index_template(
  2. name="my-index-template",
  3. index_patterns=[
  4. "my-data-stream*"
  5. ],
  6. data_stream={},
  7. composed_of=[
  8. "my-mappings",
  9. "my-settings"
  10. ],
  11. priority=500,
  12. meta={
  13. "description": "Template for my time series data",
  14. "my-custom-meta-field": "More arbitrary metadata"
  15. },
  16. )
  17. print(resp)
  1. response = client.indices.put_index_template(
  2. name: 'my-index-template',
  3. body: {
  4. index_patterns: [
  5. 'my-data-stream*'
  6. ],
  7. data_stream: {},
  8. composed_of: [
  9. 'my-mappings',
  10. 'my-settings'
  11. ],
  12. priority: 500,
  13. _meta: {
  14. description: 'Template for my time series data',
  15. "my-custom-meta-field": 'More arbitrary metadata'
  16. }
  17. }
  18. )
  19. puts response
  1. const response = await client.indices.putIndexTemplate({
  2. name: "my-index-template",
  3. index_patterns: ["my-data-stream*"],
  4. data_stream: {},
  5. composed_of: ["my-mappings", "my-settings"],
  6. priority: 500,
  7. _meta: {
  8. description: "Template for my time series data",
  9. "my-custom-meta-field": "More arbitrary metadata",
  10. },
  11. });
  12. console.log(response);
  1. PUT _index_template/my-index-template
  2. {
  3. "index_patterns": ["my-data-stream*"],
  4. "data_stream": { },
  5. "composed_of": [ "my-mappings", "my-settings" ],
  6. "priority": 500,
  7. "_meta": {
  8. "description": "Template for my time series data",
  9. "my-custom-meta-field": "More arbitrary metadata"
  10. }
  11. }

Add data to a data stream

Indexing requests add documents to a data stream. These requests must use an op_type of create. Documents must include a @timestamp field.

To automatically create your data stream, submit an indexing request that targets the stream’s name. This name must match one of your index template’s index patterns.

  1. resp = client.bulk(
  2. index="my-data-stream",
  3. operations=[
  4. {
  5. "create": {}
  6. },
  7. {
  8. "@timestamp": "2099-05-06T16:21:15.000Z",
  9. "message": "192.0.2.42 - - [06/May/2099:16:21:15 +0000] \"GET /images/bg.jpg HTTP/1.0\" 200 24736"
  10. },
  11. {
  12. "create": {}
  13. },
  14. {
  15. "@timestamp": "2099-05-06T16:25:42.000Z",
  16. "message": "192.0.2.255 - - [06/May/2099:16:25:42 +0000] \"GET /favicon.ico HTTP/1.0\" 200 3638"
  17. }
  18. ],
  19. )
  20. print(resp)
  21. resp1 = client.index(
  22. index="my-data-stream",
  23. document={
  24. "@timestamp": "2099-05-06T16:21:15.000Z",
  25. "message": "192.0.2.42 - - [06/May/2099:16:21:15 +0000] \"GET /images/bg.jpg HTTP/1.0\" 200 24736"
  26. },
  27. )
  28. print(resp1)
  1. response = client.bulk(
  2. index: 'my-data-stream',
  3. body: [
  4. {
  5. create: {}
  6. },
  7. {
  8. "@timestamp": '2099-05-06T16:21:15.000Z',
  9. message: '192.0.2.42 - - [06/May/2099:16:21:15 +0000] "GET /images/bg.jpg HTTP/1.0" 200 24736'
  10. },
  11. {
  12. create: {}
  13. },
  14. {
  15. "@timestamp": '2099-05-06T16:25:42.000Z',
  16. message: '192.0.2.255 - - [06/May/2099:16:25:42 +0000] "GET /favicon.ico HTTP/1.0" 200 3638'
  17. }
  18. ]
  19. )
  20. puts response
  21. response = client.index(
  22. index: 'my-data-stream',
  23. body: {
  24. "@timestamp": '2099-05-06T16:21:15.000Z',
  25. message: '192.0.2.42 - - [06/May/2099:16:21:15 +0000] "GET /images/bg.jpg HTTP/1.0" 200 24736'
  26. }
  27. )
  28. puts response
  1. const response = await client.bulk({
  2. index: "my-data-stream",
  3. operations: [
  4. {
  5. create: {},
  6. },
  7. {
  8. "@timestamp": "2099-05-06T16:21:15.000Z",
  9. message:
  10. '192.0.2.42 - - [06/May/2099:16:21:15 +0000] "GET /images/bg.jpg HTTP/1.0" 200 24736',
  11. },
  12. {
  13. create: {},
  14. },
  15. {
  16. "@timestamp": "2099-05-06T16:25:42.000Z",
  17. message:
  18. '192.0.2.255 - - [06/May/2099:16:25:42 +0000] "GET /favicon.ico HTTP/1.0" 200 3638',
  19. },
  20. ],
  21. });
  22. console.log(response);
  23. const response1 = await client.index({
  24. index: "my-data-stream",
  25. document: {
  26. "@timestamp": "2099-05-06T16:21:15.000Z",
  27. message:
  28. '192.0.2.42 - - [06/May/2099:16:21:15 +0000] "GET /images/bg.jpg HTTP/1.0" 200 24736',
  29. },
  30. });
  31. console.log(response1);
  1. PUT my-data-stream/_bulk
  2. { "create":{ } }
  3. { "@timestamp": "2099-05-06T16:21:15.000Z", "message": "192.0.2.42 - - [06/May/2099:16:21:15 +0000] \"GET /images/bg.jpg HTTP/1.0\" 200 24736" }
  4. { "create":{ } }
  5. { "@timestamp": "2099-05-06T16:25:42.000Z", "message": "192.0.2.255 - - [06/May/2099:16:25:42 +0000] \"GET /favicon.ico HTTP/1.0\" 200 3638" }
  6. POST my-data-stream/_doc
  7. {
  8. "@timestamp": "2099-05-06T16:21:15.000Z",
  9. "message": "192.0.2.42 - - [06/May/2099:16:21:15 +0000] \"GET /images/bg.jpg HTTP/1.0\" 200 24736"
  10. }

Search and visualize your data

To explore and search your data in Kibana, open the main menu and select Discover. See Kibana’s Discover documentation.

Use Kibana’s Dashboard feature to visualize your data in a chart, table, map, and more. See Kibana’s Dashboard documentation.

You can also search and aggregate your data using the search API. Use runtime fields and grok patterns to dynamically extract data from log messages and other unstructured content at search time.

  1. resp = client.search(
  2. index="my-data-stream",
  3. runtime_mappings={
  4. "source.ip": {
  5. "type": "ip",
  6. "script": "\n String sourceip=grok('%{IPORHOST:sourceip} .*').extract(doc[ \"message\" ].value)?.sourceip;\n if (sourceip != null) emit(sourceip);\n "
  7. }
  8. },
  9. query={
  10. "bool": {
  11. "filter": [
  12. {
  13. "range": {
  14. "@timestamp": {
  15. "gte": "now-1d/d",
  16. "lt": "now/d"
  17. }
  18. }
  19. },
  20. {
  21. "range": {
  22. "source.ip": {
  23. "gte": "192.0.2.0",
  24. "lte": "192.0.2.255"
  25. }
  26. }
  27. }
  28. ]
  29. }
  30. },
  31. fields=[
  32. "*"
  33. ],
  34. source=False,
  35. sort=[
  36. {
  37. "@timestamp": "desc"
  38. },
  39. {
  40. "source.ip": "desc"
  41. }
  42. ],
  43. )
  44. print(resp)
  1. const response = await client.search({
  2. index: "my-data-stream",
  3. runtime_mappings: {
  4. "source.ip": {
  5. type: "ip",
  6. script:
  7. "\n String sourceip=grok('%{IPORHOST:sourceip} .*').extract(doc[ \"message\" ].value)?.sourceip;\n if (sourceip != null) emit(sourceip);\n ",
  8. },
  9. },
  10. query: {
  11. bool: {
  12. filter: [
  13. {
  14. range: {
  15. "@timestamp": {
  16. gte: "now-1d/d",
  17. lt: "now/d",
  18. },
  19. },
  20. },
  21. {
  22. range: {
  23. "source.ip": {
  24. gte: "192.0.2.0",
  25. lte: "192.0.2.255",
  26. },
  27. },
  28. },
  29. ],
  30. },
  31. },
  32. fields: ["*"],
  33. _source: false,
  34. sort: [
  35. {
  36. "@timestamp": "desc",
  37. },
  38. {
  39. "source.ip": "desc",
  40. },
  41. ],
  42. });
  43. console.log(response);
  1. GET my-data-stream/_search
  2. {
  3. "runtime_mappings": {
  4. "source.ip": {
  5. "type": "ip",
  6. "script": """
  7. String sourceip=grok('%{IPORHOST:sourceip} .*').extract(doc[ "message" ].value)?.sourceip;
  8. if (sourceip != null) emit(sourceip);
  9. """
  10. }
  11. },
  12. "query": {
  13. "bool": {
  14. "filter": [
  15. {
  16. "range": {
  17. "@timestamp": {
  18. "gte": "now-1d/d",
  19. "lt": "now/d"
  20. }
  21. }
  22. },
  23. {
  24. "range": {
  25. "source.ip": {
  26. "gte": "192.0.2.0",
  27. "lte": "192.0.2.255"
  28. }
  29. }
  30. }
  31. ]
  32. }
  33. },
  34. "fields": [
  35. "*"
  36. ],
  37. "_source": false,
  38. "sort": [
  39. {
  40. "@timestamp": "desc"
  41. },
  42. {
  43. "source.ip": "desc"
  44. }
  45. ]
  46. }

Elasticsearch searches are synchronous by default. Searches across frozen data, long time ranges, or large datasets may take longer. Use the async search API to run searches in the background. For more search options, see The search API.

  1. resp = client.async_search.submit(
  2. index="my-data-stream",
  3. runtime_mappings={
  4. "source.ip": {
  5. "type": "ip",
  6. "script": "\n String sourceip=grok('%{IPORHOST:sourceip} .*').extract(doc[ \"message\" ].value)?.sourceip;\n if (sourceip != null) emit(sourceip);\n "
  7. }
  8. },
  9. query={
  10. "bool": {
  11. "filter": [
  12. {
  13. "range": {
  14. "@timestamp": {
  15. "gte": "now-2y/d",
  16. "lt": "now/d"
  17. }
  18. }
  19. },
  20. {
  21. "range": {
  22. "source.ip": {
  23. "gte": "192.0.2.0",
  24. "lte": "192.0.2.255"
  25. }
  26. }
  27. }
  28. ]
  29. }
  30. },
  31. fields=[
  32. "*"
  33. ],
  34. source=False,
  35. sort=[
  36. {
  37. "@timestamp": "desc"
  38. },
  39. {
  40. "source.ip": "desc"
  41. }
  42. ],
  43. )
  44. print(resp)
  1. const response = await client.asyncSearch.submit({
  2. index: "my-data-stream",
  3. runtime_mappings: {
  4. "source.ip": {
  5. type: "ip",
  6. script:
  7. "\n String sourceip=grok('%{IPORHOST:sourceip} .*').extract(doc[ \"message\" ].value)?.sourceip;\n if (sourceip != null) emit(sourceip);\n ",
  8. },
  9. },
  10. query: {
  11. bool: {
  12. filter: [
  13. {
  14. range: {
  15. "@timestamp": {
  16. gte: "now-2y/d",
  17. lt: "now/d",
  18. },
  19. },
  20. },
  21. {
  22. range: {
  23. "source.ip": {
  24. gte: "192.0.2.0",
  25. lte: "192.0.2.255",
  26. },
  27. },
  28. },
  29. ],
  30. },
  31. },
  32. fields: ["*"],
  33. _source: false,
  34. sort: [
  35. {
  36. "@timestamp": "desc",
  37. },
  38. {
  39. "source.ip": "desc",
  40. },
  41. ],
  42. });
  43. console.log(response);
  1. POST my-data-stream/_async_search
  2. {
  3. "runtime_mappings": {
  4. "source.ip": {
  5. "type": "ip",
  6. "script": """
  7. String sourceip=grok('%{IPORHOST:sourceip} .*').extract(doc[ "message" ].value)?.sourceip;
  8. if (sourceip != null) emit(sourceip);
  9. """
  10. }
  11. },
  12. "query": {
  13. "bool": {
  14. "filter": [
  15. {
  16. "range": {
  17. "@timestamp": {
  18. "gte": "now-2y/d",
  19. "lt": "now/d"
  20. }
  21. }
  22. },
  23. {
  24. "range": {
  25. "source.ip": {
  26. "gte": "192.0.2.0",
  27. "lte": "192.0.2.255"
  28. }
  29. }
  30. }
  31. ]
  32. }
  33. },
  34. "fields": [
  35. "*"
  36. ],
  37. "_source": false,
  38. "sort": [
  39. {
  40. "@timestamp": "desc"
  41. },
  42. {
  43. "source.ip": "desc"
  44. }
  45. ]
  46. }